DevOps Fest 2019. Philipp Krenn. Hands-On ModSecurity and Logging

This talk combines two of the OWASP Top 10 (2017) security risks:
* Injection (A1:2017): a simple application that is exploitable by SQL injection, which we then secure with ModSecurity.
* Insufficient Logging & Monitoring (A10:2017): the application is logged and monitored both with and without ModSecurity, using the open source Elastic Stack.
To make it more interactive, the audience performs the injections, which we then monitor live and mitigate with ModSecurity.
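
The read.php?id=1 hole from the slides, rebuilt as an added example (this is not code from the talk or from xeraa.wtf): string concatenation into a query, run through a stand-in for a driver that accepts stacked statements, so the ;INSERT payloads from slides 14 and 15 execute. Beside it sit the parameterised query and the output escaping that close both holes. The employees table, its rows, the function names and the payload constants are all constructed for this example.

```python
"""Added example, not code from the talk or from xeraa.wtf: the read.php?id=1
SQL injection from the slides rebuilt in Python on an in-memory SQLite table,
beside the parameterised query and output escaping that close the two holes.
The employees table, its rows and the payloads are constructed here."""
import html
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE employees (id INTEGER, name TEXT, city TEXT, salary INTEGER);
        INSERT INTO employees VALUES (1, 'Alice', 'Vienna', 50000);
        INSERT INTO employees VALUES (2, 'Bob', 'Berlin', 40000);
        INSERT INTO employees VALUES (3, 'Carol', 'Paris', 45000);
        """
    )
    return db


def read_vulnerable(db, user_id):
    """String concatenation, as in the slides' read.php. The ';' split stands in
    for a driver that accepts stacked statements (mysqli_multi_query, PDO on
    MySQL): every statement in the request runs, the first one's rows are shown."""
    sql = "SELECT id, name, city, salary FROM employees WHERE id = " + user_id
    statements = [s for s in sql.split(";") if s.strip()]
    cur = db.cursor()
    rows = cur.execute(statements[0]).fetchall()
    for extra in statements[1:]:
        cur.execute(extra)
    db.commit()
    return rows


def read_safe(db, user_id):
    """Validate the type, then bind the value; the SQL text never changes."""
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return db.execute(
        "SELECT id, name, city, salary FROM employees WHERE id = ?", (uid,)
    ).fetchall()


def render_row(row, escape=True):
    """Slide 15's second hole: stored data goes straight back into HTML. With
    escape=False the <script> payload is emitted verbatim; html.escape() fixes it."""
    cells = [str(c) for c in row]
    if escape:
        cells = [html.escape(c) for c in cells]
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def employee_count(db):
    return db.execute("SELECT COUNT(*) FROM employees").fetchone()[0]


# The two payloads from slides 14 and 15, appended to id=1 as the audience did.
PAYLOAD_INSERT = "1;INSERT INTO employees (id,name,city,salary) VALUES (4,'new','employee',10000)"
PAYLOAD_XSS = "1;INSERT INTO employees (id,name,city,salary) VALUES (5,'<script>alert(\"hello\")</script>','evil',0)"


def demo():
    db = make_db()
    read_vulnerable(db, PAYLOAD_INSERT)   # row 4 is inserted behind the SELECT
    read_vulnerable(db, PAYLOAD_XSS)      # row 5 with a script tag is inserted
    unsafe_html = render_row(read_vulnerable(db, "5")[0], escape=False)
    safe_html = render_row(read_safe(db, "5")[0])
    read_safe(db, PAYLOAD_INSERT)         # rejected: int() fails, nothing runs
    return employee_count(db), unsafe_html, safe_html


if __name__ == "__main__":
    count, unsafe_html, safe_html = demo()
    print(count, unsafe_html, safe_html, sep="\n")
```

Note that read_safe() still returns the stored script tag for id 5; a WAF or prepared statement in front of the query does nothing for data that is already in the table, which is why render_row() escapes on output regardless of how the row got there.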

  1. Hands-On ModSecurity and Logging. Philipp Krenn @xeraa
  2. Let's talk about security...
  3. (image only)
  4. A1:2017-Injection https://www.owasp.org/index.php/Top_10-2017_Top_10
  5. (image only)
  6. A10:2017-Insufficient Logging & Monitoring https://www.owasp.org/index.php/Top_10-2017_Top_10
  7. (image only)
  8. Developer
  9. Disclaimer: I build highly monitored Hello World apps
  10. Hello World of SQL Injection: https://xeraa.wtf
  11. https://xeraa.wtf/read.php?id=1
  12. (image only)
  13. python sqlmap.py --url "https://xeraa.wtf/read.php?id=1" --purge
  14. Injection: ;INSERT INTO employees (id,name,city,salary) VALUES (4,'new','employee',10000)
  15. No Escaping Either: ;INSERT INTO employees (id,name,city,salary) VALUES (5,'<script>alert("hello")</script>','evil',0)
  16. (image only)
  17. (image only)
  18. (image only)
  19. (image only)
  20. What's going on in our app?
  21. DELETE or DROP?
  22. (image only)
  23. ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a powerful rules language and API to implement advanced protections.
  24. OWASP ModSecurity Core Rule Set (CRS) Version 3: HTTP Protocol Protection; Real-time Blacklist Lookups; HTTP Denial of Service Protections; Generic Web Attack Protection; Error Detection and Hiding
  25. Commercial Rules from Trustwave SpiderLabs: Virtual Patching; IP Reputation; Web-based Malware Detection; Webshell / Backdoor Detection; Botnet Attack Detection; HTTP Denial of Service (DoS) Attack Detection
  26. Run sqlmap again: python sqlmap.py --url "https://xeraa.wtf:8080/read.php?id=1" --purge
  27. Custom Rule (three chained SecRule directives; all three must match before the deny fires):
      SecRule REQUEST_FILENAME "form.php" "id:'400001',chain,deny,log,msg:'Spam detected'"
      SecRule REQUEST_METHOD "POST" "chain"
      SecRule REQUEST_BODY "@rx (?i:(pills|insurance|rolex))"
  28. (image only)
  29. Conclusion
  30. Examples https://github.com/xeraa/mod_security-log
  31. Code / Logging / ModSecurity
  32. Questions? Philipp Krenn @xeraa
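
The logging half of the talk (A10:2017, slides 20 to 21 and 27) is about seeing what ModSecurity did to a request: which rule fired, whether it blocked, and what SQL the attacker actually sent so that "DELETE or DROP?" can be answered from the logs. The following is an added example, not code from the talk or from the xeraa/mod_security-log repository: it parses the ModSecurity messages that Apache writes to error_log into structured events of the kind one would ship to the Elastic Stack. The two ModSecurity log lines, the Apache notice line, the client addresses and the unique_id values are constructed for this example; the rule ids are CRS 942100 and the talk's custom 400001.

```python
"""Added example, not from the talk or https://github.com/xeraa/mod_security-log:
parse Apache error_log lines written by ModSecurity into structured events and
pull the injected value out of the CRS match so the SQL verb can be classified.
All log lines below are constructed for this example."""
import re
from collections import Counter

SAMPLE_LOG = """
[Wed May 22 10:14:03.123456 2019] [:error] [pid 1234:tid 140001] [client 203.0.113.5:51234] ModSecurity: Warning. detected SQLi using libinjection with fingerprint '1;E' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1;E found within ARGS:id: 1;INSERT INTO employees (id,name,city,salary) VALUES (4,'new','employee',10000)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "attack-sqli"] [hostname "xeraa.wtf"] [uri "/read.php"] [unique_id "XOUeK38AAQEAAATuA8QAAAAA"]
[Wed May 22 10:16:41.654321 2019] [:error] [pid 1234:tid 140002] [client 198.51.100.7:40022] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(pills|insurance|rolex))" at REQUEST_BODY. [file "/etc/modsecurity/custom.conf"] [line "3"] [id "400001"] [msg "Spam detected"] [hostname "xeraa.wtf"] [uri "/form.php"] [unique_id "XOUe6X8AAQEAAATvB2cAAAAB"]
[Wed May 22 10:17:02.000000 2019] [mpm_event:notice] [pid 1234:tid 140000] AH00489: Apache/2.4.38 (Debian) configured -- resuming normal operations
""".strip().splitlines()

# Apache 2.4 error_log prefix, then the ModSecurity verdict. "Warning" means the
# rule only logged (DetectionOnly or a non-blocking action); "Access denied" blocked.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[:error\] \[pid [^\]]+\] \[client (?P<client>[^\]]+)\] "
    r"ModSecurity: (?P<action>Warning|Access denied with code (?P<status>\d+))"
)
# ModSecurity appends its metadata as [key "value"] pairs; quotes inside are \" escaped.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# CRS [data] text: 'Matched Data: <pattern> found within <VARIABLE:name>: <value>'
DATA_RE = re.compile(r"found within (?P<var>[A-Z_]+:[^:]+): (?P<value>.*)$")
SQL_VERB_RE = re.compile(r"\b(INSERT|UPDATE|DELETE|DROP|UNION|SELECT)\b", re.I)


def parse_line(line):
    """Return a flat event dict for a ModSecurity line, or None for any other line."""
    head = LINE_RE.match(line)
    if head is None:
        return None
    status = head.group("status")
    event = {
        "timestamp": head.group("ts"),
        "client_ip": head.group("client").rsplit(":", 1)[0],
        "blocked": status is not None,
        "status": int(status) if status else None,
        "tags": [],
    }
    for key, value in FIELD_RE.findall(line[head.end():]):
        value = value.replace('\\"', '"')
        if key == "tag":
            event["tags"].append(value)
        else:
            event[key] = value
    data = DATA_RE.search(event.get("data", ""))
    if data:
        event["matched_variable"] = data.group("var")
        event["matched_value"] = data.group("value")
    return event


def parse_log(lines):
    return [e for e in map(parse_line, lines) if e is not None]


def sql_verbs(value):
    """Which statement types the injected value carries: the slide's DELETE-or-DROP question."""
    return {m.upper() for m in SQL_VERB_RE.findall(value)}


def summarize(events):
    return {
        "total": len(events),
        "blocked": sum(1 for e in events if e["blocked"]),
        "by_rule": Counter(e.get("id", "?") for e in events),
        "by_uri": Counter(e.get("uri", "?") for e in events),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev["id"], ev["uri"], "blocked" if ev["blocked"] else "logged",
              sql_verbs(ev.get("matched_value", "")))
    print(summarize(evs))
```

Each event dict is flat and JSON-serialisable, so it can be indexed as-is or mapped onto ECS fields (client.ip, url.path, rule.id, event.action). For production use the ModSecurity audit log (SecAuditEngine with the JSON format in 2.9+ or libmodsecurity 3) carries the same fields plus the full request and is easier to ship than error_log scraping; the parser above is for reading what the talk's Apache setup logs by default.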